Converting CRT to PEM Format

Yesterday we needed to convert SSL certificate received from an authorized agency from crt to pem to make it compatible with a specific software. In this article, we’ll show you the most easy way to convert your certificate file from .crt to .pem.

PEM is a popular certificate format among certification centers. Certificate files have the extension .pem, .crt, .cer, and .key. Files are encoded in Base64 and necessarily start with the line “—– BEGIN CERTIFICATE —–” and end with the line “—– END CERTIFICATE —–“. Apache and similar servers use certificates in PEM format.

First of all, check, maybe your certificate file is already in PEM format, but the file itself has a .crt extension. Try to open your .crt file using any text editor, or list its contents using PowerShell.

gc .\cert.crt

If the contents of the file start with —– BEGIN, and you can read it in a text editor, this indicates that the file already uses the base64 format, which can be read in ASCII (the file is not in binary format).

This means that your certificate is already in PEM format. Just change the file extension from .crt to .pem in File Explorer.

In case your crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in our case we have used the open SSL port from https://sourceforge.net/projects/gnuwin32/ – version 0.9.8h).

Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and unpack it to local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. After that, run the command prompt with administrator privileges and go to the folder:

cd C:\OpenSSL\bin

If the crt file is in binary format, then run this command to convert it to PEM format:

Change certificates file names to your own. This command help you to convert a DER certificate file (.crt, .cer, .der) to PEM.

After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere.

If you run the openssl.exe utility and received an error: Unable to load config info from /usr/local/ssl/openssl.cnf, you need to setup a new environment variable using the following command: